Several healthcare chief information security officers have established a council to develop best practices for managing third-party risks.
The CISOs want to limit the security risks that vendors can inflict on hospitals and other provider venues, starting with the supply chain.
Many provider organizations do not have the expertise and resources to properly vet and monitor third parties working within the facility, so the early work will focus on building common vetting and oversight practices that can be applied nationwide and internationally.
“The primary challenge is organizations can engage vendors of various sizes, maturity and complexity without really knowing whether the vendor should be engaged in the first place based on their beliefs and investments in cybersecurity,” said Taylor Lehmann, CISO at Wellforce, the parent company of Tufts Medical Center and Floating Hospital for Children.
In addition to Tufts, founding healthcare systems include Allegheny Health Network, Cleveland Clinic, University of Rochester Medical Center, UPMC, and Vanderbilt University Medical Center.
These charter organizations and other providers who join the effort will require third-party vendors to become HITRUST CSF Certified within the next two years, starting September 1, 2018. HITRUST CSF is an industry privacy and security framework that is continuously evolving with the changing cyber landscape.
The CISO program to compel vendors to become certified includes a significant incentive for vendors to improve their security posture.
Vendors that already hold HITRUST CSF certification when they approach a participating medical center to promote their products will not have to go through a separate assessment process, and the hospitals will make it easier to get those products into the facility and in use with patients.
“Vendors who do not possess HITRUST certification for their products within the timeframe will not meet our security requirements for our medical centers,” said Lehmann. “As a result, their products and services will not be eligible to be used and will be removed from purchasing options we offer our stakeholders. We will look to acquire products only from those who have protections and certifications consistent with the Council’s mission, specifically HITRUST certification.”
That means work needs to start now for vendors who require time to get certified, as the average time from starting with nothing to finishing certification is about 14 to 18 months.
Initially, the certification program will focus on eight core areas: biomedical, medical device management, health IT information security, compliance, human resources, privacy/training/awareness, education, and research.
Once the program is established among larger facilities, smaller hospitals will get assistance in joining the program, Lehmann noted. “The goal is to have a national impact and to help everyone.”
Further, the program will likely impose additional requirements on vendors, such as breach response, continuous monitoring of vendors on the Internet, and improved identification of IT compromises and threats.
“We believe the healthcare industry as a whole, our organizations and our third parties will benefit from a common set of information security requirements with a standardized assessment and reporting process,” said John Houston, vice president of privacy and security and associate counsel at UPMC.